does osquery have a way to gather was VSCode exten...
# generalz
Zach Zeid
11/17/2022, 6:59 PMdoes osquery have a way to gather was VSCode extensions are installed on a Mac?
g
Gavin
11/17/2022, 7:20 PMYou can write a custom extension to shell out to code and run the --list-extensions
Gavin
11/17/2022, 7:24 PMOr use the
file Copy code
SELECT
f.filename,
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime,'unixepoch') AS file_last_access_time,
datetime(f.mtime,'unixepoch') AS file_last_modified_time,
datetime(f.ctime,'unixepoch') AS file_last_status_change_time,
datetime(f.btime,'unixepoch') AS file_created_time,
ROUND((f.size * 10e-7),4) AS size_megabytes
FROM file f
LEFT JOIN users u ON f.uid = u.uid
LEFT JOIN groups g ON f.gid = g.gid
WHERE ((f.directory like "/home/%%/.local/share/JetBrains/%/")
OR (f.directory like "C:\users\%\AppData\%\JetBrains\%\Plugins\")
OR (f.directory like "/Users/%/Library/Application Support/JetBrains/%/plugins/"))
AND (
(filename not like "%.xml") AND (filename not like "%.json") AND
(filename not like "%.etag")
);z
Zach Zeid
11/17/2022, 8:09 PMthis helps thank you!
s
seph
11/17/2022, 10:09 PM
They’re stored in user homedirs. So you can dig through them, and parse the json. (Though there’s no native osquery json table)
5 Views